New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency setuptools to v70 [security] - autoclosed #209

Closed

renovate wants to merge 1 commit into master from renovate/pypi-setuptools-vulnerability

Contributor

renovate bot commented Aug 6, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
setuptools (changelog)	`^65.5.0` -> `^70.0.0`

GitHub Vulnerability Alerts

CVE-2024-6345

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Release Notes

pypa/setuptools (setuptools)

`v70.0.0`

`v69.5.1`

`v69.5.0`

`v69.4.2`

`v69.4.1`

`v69.4.0`

`v69.3.1`

`v69.3.0`

`v69.2.0`

`v69.1.1`

`v69.1.0`

`v69.0.3`

`v69.0.2`

`v69.0.1`

`v69.0.0`

`v68.2.2`

`v68.2.1`

`v68.2.0`

`v68.1.2`

`v68.1.0`

`v68.0.0`

`v67.8.0`

`v67.7.2`

`v67.7.1`

`v67.7.0`

`v67.6.1`

`v67.6.0`

`v67.5.1`

`v67.5.0`

`v67.4.0`

`v67.3.3`

`v67.3.2`

`v67.3.1`

`v67.2.0`

`v67.1.0`

`v67.0.0`

`v66.1.1`

`v66.1.0`

`v66.0.0`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency setuptools to v70 [security]

90a7c29

Contributor Author

renovate bot commented Aug 6, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

Updating dependencies
Resolving dependencies...


The current project's Python requirement (>=3.7,<4.0) is not compatible with some of the required packages Python requirement:
  - setuptools requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8
  - setuptools requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8
  - setuptools requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8
  - setuptools requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8
  - setuptools requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8

Because no versions of setuptools match >70.0.0,<70.1.0 || >70.1.0,<70.1.1 || >70.1.1,<70.2.0 || >70.2.0,<70.3.0 || >70.3.0,<71.0.0
 and setuptools (70.0.0) requires Python >=3.8, setuptools is forbidden.
And because setuptools (70.1.0) requires Python >=3.8, setuptools is forbidden.
And because setuptools (70.1.1) requires Python >=3.8
 and setuptools (70.2.0) requires Python >=3.8, setuptools is forbidden.
So, because setuptools (70.3.0) requires Python >=3.8
 and slowapi depends on setuptools (^70.0.0), version solving failed.

  • Check your dependencies Python requirement: The Python requirement can be specified via the `python` or `markers` properties
    
    For setuptools, a possible solution would be to set the `python` property to ">=3.8,<4.0"
    For setuptools, a possible solution would be to set the `python` property to ">=3.8,<4.0"
    For setuptools, a possible solution would be to set the `python` property to ">=3.8,<4.0"
    For setuptools, a possible solution would be to set the `python` property to ">=3.8,<4.0"
    For setuptools, a possible solution would be to set the `python` property to ">=3.8,<4.0"

    https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies,
    https://python-poetry.org/docs/dependency-specification/#using-environment-markers

renovate bot changed the title ~~chore(deps): update dependency setuptools to v70 [security]~~ chore(deps): update dependency setuptools to v70 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/pypi-setuptools-vulnerability branch

August 29, 2024 03:41

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet